Security Models
Security models of control are used to determine how security will be implemented, what subjects can access the system, and what objects they will have access to. Simply stated, they are a way to formalize security policy. Security models of control are typically implemented by enforcing integrity, confidentiality, or other controls. Keep in mind that each of these models lays out broad guidelines and is not specific in nature. It is up to the developer to decide how these models will be used and integrated into specific designs, as shown in Figure 5.5.
Figure 5.5. How security models are used in the design of an OS.
The sections that follow discuss the different security models of control in greater detail. The first three models discussed are considered lower-level models.
State Machine Model
The state machine model is based on a finite state machine, as shown in Figure 5.6. State machines are used to model complex systems and deals with acceptors, recognizers, state variables, and transaction functions. The state machine defines the behavior of a finite number of states, the transitions between those states, and actions that can occur.
Figure 5.6. Finite state model.
The most common representation of a state machine is through a state machine table. For example, as Table 5.3 illustrates, if the state machine is at the current state of (B) and condition (2), the next state would be (C).
Table 5.3. State Machine Table
State Transaction |
State A |
State B |
State C |
Condition 1 |
... |
... |
... |
Condition 2 |
... |
Current State |
... |
Condition 3 |
... |
... |
... |
A state machine model monitors the status of the system to prevent it from slipping into an insecure state. Systems that support the state machine model must have all their possible states examined to verify that all processes are controlled. The state machine concept serves as the basis of many security models. The model is valued for knowing in what state the system will reside. As an example, if the system boots up in a secure state, and every transaction that occurs is secure, it must always be in a secure state and not fail open.
Information Flow Model
The Information Flow model is an extension of the state machine concept and serves as the basis of design for both the Biba and Bell-LaPadula models, which are discussed in the sections that follow. The Information Flow model consists of objects, state transitions, and lattice (flow policy) states. The real goal of the information flow model is to prevent unauthorized, insecure information flow in any direction. This model and others can make use of guards. Guards allow the exchange of data between various systems.
Noninterference Model
The Noninterference model as defined by Goguen and Meseguer was designed to make sure that objects and subjects of different levels don’t interfere with the objects and subjects of other levels. The model uses inputs and outputs of either low or high sensitivity. Each data access attempt is independent of all others and data cannot cross security boundaries.
Confidentiality
Although the preceding models serve as a basis for many security models that were developed later, one major concern is confidentiality. Government entities such as the DoD are concerned about the confidentiality of information. The DoD divides information into categories to ease the burden of managing who has access to what levels of information. DoD information classifications are sensitive but unclassified (BU), confidential, secret, and top secret. One of the first models to address the needs of the DoD was the Bell-LaPadula model.
Bell-LaPadula
The Bell-LaPadula state machine model enforces confidentiality. The Bell-LaPadula model uses mandatory access control to enforce the DoD multilevel security policy. For a subject to access information, he must have a clear need to know and meet or exceed the information’s classification level.
The Bell-LaPadula model is defined by the following properties:
- Simple security property (ss property)—This property states that a subject at one level of confidentiality is not allowed to read information at a higher level of confidentiality. This is sometimes referred to as “no read up.”
- Star * security property—This property states that a subject at one level of confidentiality is not allowed to write information to a lower level of confidentiality. This is also known as “no write down.”
- Strong star * property—This property states that a subject cannot read/write to object of higher/lower sensitivity.
Although the Bell-LaPadula model did go a long way in defining the operation of secure systems, the model is not perfect. It did not address security issues such as covert channels. It was designed in an era when mainframes were the dominant platform. It was designed for multilevel security and takes only confidentiality into account.
Integrity
Integrity is a good thing. It is one of the basic elements of the security triad along with confidentiality and availability. Integrity plays an important role in security because it can verify that unauthorized users are not modifying data, authorized users don’t make unauthorized changes, and that databases balance and data remains internally and externally consistent. Although governmental entities are typically very concerned with confidentiality, other organizations might be more focused on the integrity of information. In general, integrity has four goals:
- Prevent data modification by unauthorized parties
- Prevent unauthorized data modification by authorized parties
- Must reflect the real world
- Must maintain internal and external consistency
Two security models that address secure systems for the aspect of integrity include Biba and Clark-Wilson. Both of these models are addressed next.
Biba
The Biba model was the first model developed to address the concerns of integrity. Originally published in 1977, this lattice-based model has the following defining properties:
- Simple integrity property—This property states that a subject at one level of integrity is not permitted to read an object of lower integrity.
- Star * integrity property—This property states that an object at one level of integrity is not permitted to write to an object of higher integrity.
- Invocation property—This property prohibits a subject at one level of integrity from invoking a subject at a higher level of integrity.
Biba addresses only the first goal of integrity—protecting the system for access by unauthorized users. Availability and confidentiality are not examined. It also assumes that internal threats are being protected by good coding practices, and therefore focuses on external threats.
Clark-Wilson
The Clark-Wilson model was created in 1987. It differs from previous models because it was developed with the intention to be used for commercial activities. This model addresses all the goals of integrity. Clark Wilson dictates that the separation of duties must be enforced, subjects must access data through an application, and auditing is required. Some terms associated with Clark Wilson include
- User
- Transformation procedure
- Unconstrained data item
- Constrained data item
- Integrity verification procedure
Clark-Wilson features an access control triple. The access control triple is composed of the user, transformational procedure, and the constrained data item. It was designed to protect integrity and prevent fraud. Authorized users cannot change data in an inappropriate way. It also differs from the Biba model in that subjects are restricted. This means a subject at one level of access can read one set of data, whereas a subject at another level of access has access to a different set of data. Clark-Wilson controls the way in which subjects access objects so that the internal consistency of the system can be ensured and that data can be manipulated only in ways that protect consistency. Integrity verification procedures (IVPs) ensure that a data item is in a valid state. Data cannot be tampered with while being changed and the integrity of the data must be consistent. Clark-Wilson requires that all changes must be logged. Clark-Wilson is made up of transformation procedures (TP). Constrained data items (CDI) are data for which integrity must be preserved. Items not covered under the model are considered unconstrained data items (UDIs).
Take-Grant Model
The Take-Grant model is another confidentiality-based model that supports four basic operations: take, grant, create, and revoke. This model allows subjects with the take right to remove take rights from other subjects. Subjects possessing the grant right can grant this right to other subjects. The create and revoke operations work in the same manner: Someone with the create right can give the create right to others and those with the revoke right can remove that right from others.
Brewer and Nash Model
The Brewer and Nash model is similar to the Bell-LaPadula model and is also called the Chinese Wall model. It was developed to prevent conflict of interest (COI) problems. As an example, imagine that your security firm does security work for many large firms. If one of your employees could access information about all the firms that your company has worked for, he might be able to use this data in an unauthorized way. Therefore, the Chinese Wall model is more context oriented in that it prevents a worker consulting for one firm from accessing data belonging to another, thereby preventing any COI.
Other Models
A security model defines and describes what protection mechanisms are to be used and what these controls are designed to achieve. Although the previous section covered some of the more heavily tested models, you should have a basic understanding of a few more. These security models include
- Graham Denning model—This model uses a formal set of protection rules for which each object has an owner and a controller.
- Harrison-Ruzzo-Ullman model—This model details how subjects and objects can be created, deleted, accessed, or changed.
- Lattice model—This model is associated with MAC. Controls are applied to objects and the model uses security levels that are represented by a lattice structure. This structure governs information flow. Subjects of the lattice model are allowed to access an object only if the security level of the subject is equal to or greater than that of the object. Every subset has a least upper bound and a greatest lower bound.